Posts Tagged ‘vulnerability’

Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of Internet of Things devices, which has left millions of devices vulnerable to hacking.

Dubbed “Devil’s Ivy,” the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices.

The Devil’s Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications.

“When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,” researchers say.

“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”

Axis confirmed that the vulnerability exists in almost all of its 250 camera models (you can find the complete list of affected camera models here) and quickly released patched firmware updates on July 6th to address it, prompting partners and customers to upgrade as soon as possible.

However, researchers believe that their exploit would work on internet-connected devices from other vendors as well, as the affected software is used by Canon, Siemens, Cisco, Hitachi, and many others.

Axis immediately informed Genivia, the company that maintains gSOAP, about the vulnerability and Genivia released a patch on June 21, 2017.

The company also reached out to the electronics industry consortium ONVIF to ensure that all of its members that make use of gSOAP, including Canon, Cisco, and Siemens, become aware of the issue and can develop patches to fix the security hole.

Internet of Things (IoT) devices have always been the weakest link and, therefore, an easy entry point for hackers to get into secured networks. So it is always advisable to keep your Internet-connected devices updated and away from the public Internet.

A highly critical vulnerability has been discovered in Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time this year, which could allow attackers to remotely execute malicious code on a victim’s computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences, that helps users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users.

Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a design defect in the WebEx browser extension. To exploit the vulnerability, all an attacker needs to do is trick victims into visiting a web page containing specially crafted malicious code through a browser with the affected extension installed. Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

“I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well.”

Cisco has already patched the vulnerability and released the “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers that addresses this issue, though “there are no workarounds that address this vulnerability.”

Download Cisco WebEx Extension 1.0.12

In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack.

Fortunately, Apple’s Safari, Microsoft’s Internet Explorer and Microsoft’s Edge are not affected by this vulnerability. Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed.

This is the second time this year that a remote code execution vulnerability has been discovered in the Cisco WebEx extension.

We had a number of users suggesting that we should have labeled MS14-066 as “Patch Now” instead of just critical. This particular vulnerability probably has the largest potential impact among all of the vulnerabilities patched this Tuesday, and should be considered the first patch to apply, in particular on servers.

Just like OpenSSL implements SSL on many Unix systems, SCHANNEL is the standard SSL library that ships with Windows. Expect most Windows software that takes advantage of SSL to use SCHANNEL.

Microsoft stated that this vulnerability will allow remote code execution and that it can be used to exploit servers. Microsoft also assigned this vulnerability an exploitability of “1”, indicating that an exploit is likely going to be developed soon. But other than that, very little has been released publicly about the nature of the vulnerability.

There is some conflicting information about whether the bug was found internally or by a third party. The bulletin states: “This security update resolves a privately reported vulnerability” [1]. A blog post about the vulnerability states: “Internally found during a proactive security assessment.” [2]. Finally, Microsoft’s “Acknowledgement” page does not list a source for the vulnerability [3]. It is not clear how far outside of Microsoft the vulnerability was known prior to the patch release.

However, as soon as a patch is released, it can be used to learn more about the vulnerability. It is very hard these days to obfuscate a patch sufficiently to hide the nature of a vulnerability.

So what does this mean for you?

My guess is that you probably have a week, maybe less, to patch your systems before an exploit is released. You got a good inventory of your systems? Then you are in good shape to make this work. For the rest (vast majority?): While you patch, also figure out countermeasures and alternative emergency configurations.

The most likely targets are SSL services that are reachable from the outside: Web and Mail Servers would be on the top of my list. But it can’t hurt to check the report from your last external scan of your infrastructure to see if you got anything else. Probably a good idea to repeat this scan if you haven’t scheduled it regularly.

Next move on to internal servers. They are a bit harder to reach, but remember that you only need one internal infected workstation to expose them.

Third: Traveling laptops and the like that leave your perimeter. They should already be locked down, and are unlikely to listen for inbound SSL connections, but can’t hurt to double check. Some odd SSL VPN? Maybe some instant messenger software? A quick port scan should tell you more.

You are doing great if you can get these three groups out of the way by the end of the week. Internal clients are less of an issue, but just like “traveling laptops”, they may run some software that listens for inbound SSL connections.

Stick with my old advice: Patching is only in part about speed. Don’t let speed get in the way of good operations and procedures. It is at least as important to patch in a controlled, verifiable and reproducible way. Anything else will leave you open to attack due to incomplete patching. Don’t forget to reboot the system or the patch may not take effect.

Microsoft didn’t mention any workarounds. But this may change as we learn more about the issue. So make sure that you know how to disable certain ciphers or certain SSL modes of operations. And please take this as another opportunity to get your inventory of hardware and software sorted out.

Patch Now? Maybe better: Patch first / Patch soon. This vulnerability could turn into a worm like “slapper”, an OpenSSL worm exploiting Apache back in the day.

I am not aware of any public IDS signatures for this problem so far, but it may make sense to check for SSL errors even on non-Windows servers to spot possible exploit attempts.

To make things more interesting (confusing?), the Cisco Talos blog states that “[w]hile it is covered by only a single CVE, there’s actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses”. [4] It would be really odd for Microsoft to only use a single CVE number for various vulnerabilities only related by the common library they happen to be found in. But I do give Cisco some credibility here as they are working closely with Microsoft and may have gotten more details from Microsoft than what was published in the bulletin.

Cisco also published a number of Snort rules for MS14-066. If you have a VRT subscription, you should see these rules with an SID from 32404 through 32423.

Android has long been a target for cyber criminals, but now it seems that they have turned toward iOS devices. Apple always says that hacking their devices is too difficult for cyber crooks, but a single app has made it possible for anyone to hack an iPhone.

A security flaw in Apple’s mobile iOS operating system has made most iPhones and iPads vulnerable to cyber attacks by hackers seeking access to sensitive data and control of their devices, security researchers warned.

Details of this new vulnerability were published by the cybersecurity firm FireEye on its blog on Monday, saying the flaw allows hackers to access devices by fooling users into downloading and installing malicious iOS applications on their iPhone or iPad via tainted text messages, emails and Web links.

MASQUE ATTACK – REPLACING TRUSTED APPS

The malicious iOS apps can then be used to replace the legitimate apps, such as banking or social networking apps, that were installed through Apple’s official App Store through a technique that FireEye has dubbed “Masque Attack.”

“This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier,” the researchers said on the company’s blog. “An attacker can leverage this vulnerability both through wireless networks and USB.”

Masque attacks can be used by cyber criminals to steal banking and email login credentials or users’ other sensitive information.

Security researchers found that the Masque attack works on Apple’s mobile operating system, including iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta version, and that all iPhones and iPads running iOS 7 or later, regardless of whether or not the device is jailbroken, are at risk.

According to FireEye, the vast majority, i.e. 95 percent, of all iOS devices currently in use are potentially vulnerable to the attack.

MASQUE ATTACK IS MORE DANGEROUS THAN WIRELURKER

The Masque Attack technique is the same one used by “WireLurker,” a malware attack discovered last week by security firm Palo Alto Networks targeting Apple users in China, that allowed unapproved apps, designed to steal information, to be downloaded from the Internet. But this recently discovered malware threat is reportedly a “much bigger threat” than WireLurker.

“Masque Attacks can pose much bigger threats than WireLurker,” the researchers said. “Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with a malware that has identical UI.”

“Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”
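
The missing check the researchers describe can be shown with a small model. This is an added illustration, not code from FireEye or Apple; `Package`, `DeviceModel`, the bundle identifier and the certificate bytes are hypothetical, constructed values. It compares an installer that ignores the signer of a same-identifier package with one that enforces a signer match, and shows that the data container outlives the replacement.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    bundle_id: str      # constructed identifier, e.g. "com.example.bank"
    signer_cert: bytes  # stand-in for the signing certificate bytes
    label: str


def signer_fingerprint(pkg):
    """SHA-256 of the signing certificate, used to compare signers."""
    return hashlib.sha256(pkg.signer_cert).hexdigest()


class DeviceModel:
    """Toy model of on-device installation keyed by bundle identifier."""

    def __init__(self, enforce_signer_match):
        self.enforce_signer_match = enforce_signer_match
        self.installed = {}   # bundle_id -> Package
        self.local_data = {}  # bundle_id -> dict; kept across a replace

    def install(self, pkg):
        current = self.installed.get(pkg.bundle_id)
        if current is None:
            self.installed[pkg.bundle_id] = pkg
            self.local_data[pkg.bundle_id] = {}
            return "installed"
        same_signer = signer_fingerprint(current) == signer_fingerprint(pkg)
        if self.enforce_signer_match and not same_signer:
            return "rejected"
        # In-place replace: the binary changes, the data container stays.
        self.installed[pkg.bundle_id] = pkg
        return "updated" if same_signer else "replaced-by-other-signer"

    def readable_by(self, bundle_id):
        """Which package now owns, and can read, the data container."""
        return self.installed[bundle_id].label, dict(self.local_data[bundle_id])


def run_scenario(enforce_signer_match):
    """Install a genuine app, store a token, then offer a same-ID package."""
    genuine = Package("com.example.bank", b"constructed-cert-A", "genuine")
    lookalike = Package("com.example.bank", b"constructed-cert-B", "lookalike")
    device = DeviceModel(enforce_signer_match)
    device.install(genuine)
    device.local_data["com.example.bank"]["login_token"] = "constructed-token"
    outcome = device.install(lookalike)
    owner, data = device.readable_by("com.example.bank")
    return outcome, owner, data


if __name__ == "__main__":
    print(run_scenario(False))
    print(run_scenario(True))
```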

HOW TO PROTECT YOURSELF FROM MASQUE ATTACK

Apple devices running iOS have long been considered safer from hackers than devices running operating systems like Microsoft’s Windows and Google’s Android, but iOS devices have now become more common targets for cybercriminals.

In order to avoid falling victim to Masque Attack, users can follow some simple steps given below:

Do not download any apps offered to you via email, text messages, or web links.

Don’t install apps offered on pop-ups from third-party websites.

If iOS alerts a user about an “Untrusted App Developer,” click “Don’t Trust” on the alert and immediately uninstall the application.

In short, a simple way to safeguard your devices from these kinds of threats is to avoid downloading apps from untrusted sources, and only download apps directly from the App Store.

CVE-2014-4877: Wget FTP Symlink Attack Vulnerability

The open-source Wget application, which is most widely used on Linux and Unix systems for retrieving files from the web, has been found vulnerable to a critical flaw.

GNU Wget is a command-line utility designed to retrieve files from the Web using HTTP, HTTPS, and FTP, the most widely used Internet protocols. Wget can be easily installed on any Unix-like system and has been ported to many environments, including Microsoft Windows, Mac OS X, OpenVMS, MorphOS and AmigaOS.

When wget performs a recursive directory fetch with an FTP server as the target, it would let an attacker “create arbitrary files, directories or symbolic links” due to a symlink flaw.

IMPACT OF SYMLINK ATTACK

“It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP,” developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.

A remote unauthenticated malicious FTP server connected to the victim via wget would allow attackers to do anything they wanted. Wget could download and create or overwrite existing files within the context of the user running wget.

The vulnerability was first reported to the GNU Wget project by HD Moore, chief research officer at Rapid7, and is publicly identified as CVE-2014-4877. The flaw is considered critical since wget is present on nearly every Linux server in the world, and is installable, although not by default, on OS X machines as well, so it needs a patch as soon as possible.

PATCH AVAILABLE

“This flaw can lead to remote code execution through system-level vectors such as cron and user-level vectors such as bash profile files and SSH authorized_keys,” Moore wrote.

The vulnerability has now been fixed by the Wget project in wget 1.16, which blocks the default setting that allowed the setting of local symlinks.
“Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch,” Moore said.
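
A downloader can refuse the behaviour described above by never creating symlinks that a server lists and by resolving every destination before it writes. The following is an added example, not wget's code or its 1.16 patch; `safe_destination`, `mirror_listing` and the sample listing are hypothetical, and the check is generalized to any server-supplied path rather than FTP symlinks alone.

```python
import os
import tempfile


class UnsafePath(Exception):
    """A server-supplied name would resolve outside the download root."""


def safe_destination(root, remote_name):
    """Resolve remote_name under root, following symlinks already on disk."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, remote_name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePath(remote_name)
    return candidate


def mirror_listing(root, entries):
    """Apply (kind, name, data) tuples to root; return (written, refused)."""
    written, refused = [], []
    for kind, name, data in entries:
        if kind == "symlink":
            # Policy: never create a local symlink because the server listed
            # one; the link target is untrusted input.
            refused.append(name)
            continue
        try:
            dest = safe_destination(root, name)
        except UnsafePath:
            refused.append(name)
            continue
        if kind == "dir":
            os.makedirs(dest, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(data)
        written.append(name)
    return written, refused


def demo():
    """Run the policy on a constructed listing inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "mirror")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        # Constructed state: a link left behind by an earlier, unchecked fetch.
        os.symlink(outside, os.path.join(root, "planted"))
        listing = [  # constructed sample listing, not real server output
            ("file", "readme.txt", b"ok"),
            ("symlink", "shortcut", None),
            ("file", "planted/job.txt", b"x"),
            ("file", "../escape.txt", b"x"),
            ("dir", "sub", None),
            ("file", "sub/a.txt", b"a"),
        ]
        written, refused = mirror_listing(root, listing)
        return written, refused, sorted(os.listdir(outside))
```

`demo()` returns the accepted names, the refused names, and the contents of the directory outside the download root, which stays empty.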

Today Microsoft has released its Advance Notification for the June 2014 Patch Tuesday, with seven security bulletins that will address several vulnerabilities in its products, of which two are marked critical and the rest are important in severity.

This Tuesday, Microsoft will issue Security Updates to address seven major vulnerabilities, and all of them are important for you to patch, as the flaws affect various Microsoft software, including Microsoft Word, Microsoft Office and Internet Explorer.

CRITICAL VULNERABILITY THAT YOU MUST PATCH

Bulletin one is considered to be the most critical one, which will address the zero-day Remote Code Execution vulnerability affecting all versions of Internet Explorer, including IE11 in Windows 8.1.

All server versions of Windows are affected by this vulnerability, but at a low level of severity because, by default, Internet Explorer runs in Enhanced Security Configuration; Server Core versions of Windows Server do not include Internet Explorer and so are not affected.

The vulnerability allows a remote attacker to execute arbitrary code using JavaScript, but so far, the zero-day flaw is not known to have been used in any attacks, according to Microsoft. “The Update for Internet Explorer addresses CVE-2014-1770, which we have not seen used in any active attacks.”

Microsoft kept this critical Internet Explorer zero-day vulnerability hidden from all of us since October 2013, but last month the team at ‘Zero Day Initiative’ disclosed the vulnerability publicly when Microsoft failed to respond and patch this flaw within 180 days after receiving the details from a security researcher.

The second Bulletin addresses one or more flaws in both Windows and Office products. It is also a Remote Code Execution vulnerability and rated ‘Critical’ on all versions of Windows including Server Core; Microsoft Live Meeting 2007 Console and all versions of Microsoft Lync, excluding the Lync Server. The flaw is also rated ‘Important’ for Office 2007 and Office 2010.

These critical security updates are really important for users to patch and both the patches will require a restart after the installation of the new versions.

OTHER IMPORTANT PATCHES TO INSTALL

The remaining five bulletins will address one or more remote code execution vulnerabilities in Office, an information disclosure bug in Windows, information disclosure bugs in Lync Server, a Denial of Service (DoS) bug in all Windows versions since Vista, and a “tampering” vulnerability in Windows including Windows 7, 8.x and Server 2012.

NOT FOR XP THIS TIME

Microsoft will not release any security update for its older Windows XP this time, unlike last month, when it provided an ‘out-of-band security update’ for Windows XP machines affected by the zero-day vulnerability.

Microsoft has stopped supporting the Windows XP operating system. So, if you are still running this older version of the operating system on your PCs, we again advise you to move on to another operating system in order to receive updates and secure yourself from upcoming threats.

[Webcast Correction] Important correction to the webcast. The MITM attack does not just affect DTLS. It does affect TLS (TCP) as well.

Quick Q&A Summary from the webcast:

– The MITM vulnerability affects only servers that run OpenSSL 1.0.1, but all clients. Both have to be vulnerable to exploit this problem.

– The MITM vulnerability is not just DTLS (sorry, had that wrong during the webcast)

– Common DTLS applications: Video/Voice over IP, LDAP, SNMPv3, WebRTC

– Web servers (https) cannot use DTLS.

– OpenVPN’s "auth-tls" feature will likely mitigate all these vulnerabilities

– Even if you use "commercial software", it may still use OpenSSL.

———

The OpenSSL team released a critical security update today. The update patches 6 flaws. 1 of the flaws (CVE-2014-0195) may lead to arbitrary code execution. [1]

All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs… not so much HTTPS).

I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only OpenSSL 1.0.1 is vulnerable on servers (which is why I stuck with "important" for servers). The discoverer of this vulnerability released details here: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html.

Microsoft will release a special update later today (10am PT, 1pm ET, 7pm UTC) fixing the Internet Explorer vulnerability which has been used in targeted attacks recently. The vulnerability was announced late last week and affects Internet Explorer 6 and later on Windows versions back to Windows XP. The patch will be published as MS14-021 in line with the May update which is still expected for Tuesday, May 13th.

We do rate this bulletin as "PATCH NOW!" for clients. Even though many organizations started to move away from Internet Explorer as a primary browser, it may still launch in some cases and unless you are using a non-Microsoft operating system you are likely vulnerable. Even servers should apply this patch, but it is less likely that the vulnerability is exposed on a server. Microsoft downplays the risk of the vulnerability for servers by labeling it as "Moderate" due to the crippled default configuration of Internet Explorer on servers.

The patch pre-announcement does specifically list Windows XP SP3 as vulnerable, indicating that the patch may cover Windows XP SP3 even though no more patches were expected for Windows XP.

The best advice for now is to find another Browser and dump Internet Explorer. Microsoft’s tepid response to the threat and the fact that Internet Explorer Browsers may have been exploited over a considerable time period suggests that the Browser cannot be trusted.

All Microsoft Explorer Browsers from version 6 up through version 11 are potentially impacted by the vulnerability. While FireEye says that the exploit was designed mostly against Explorer Versions 9 to 11, the earlier Explorer products also are vulnerable. If we just consider Versions 9 to 11 we are talking about 25% of the Browser market; if all versions are considered we are at nearly half the Browser market.

Spies, intruders and hackers usually go after low hanging fruit, and with Microsoft dominating the Browser marketplace, it is a prime target. But that is changing. Google Chrome is growing rapidly in market share, partly because it offers Gmail and functions such as Google Docs.

Right now we don’t know if Google, or Firefox which makes an excellent Browser, or any other such as Opera are safer than Microsoft’s Internet Explorer.